CVE-2022-26520 - Improper Input Validation

Severity: Low2022-05-27

Security Advisories


In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties.

The Oxygen Content Fusion incorporates postgresql as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

ProductSeverityFixed Release Availability
Oxygen Content Fusion v4.1.6 and olderLow Oxygen Content Fusion 5.0 build 2022052605





Severity: High

CVSS Score: 7.0

The postgresql third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-26520 vulnerability description. However, the Oxygen products are not configured to allow untrusted users to supply JDBC URLs or their properties. For that reason, we have rated the severity level for our products as low.

Starting with Oxygen Content Fusion v5.0 postgresql library was updated to v42.3.4 which fixes this vulnerability.

List of Security Advisories